Data Protection News Sept 18

Round-up of Data Breaches and ICO Fines
Marketing – Informed Consent Vs Legitimate Interests
The new NIS Regulation has come into force
Equifax Issued Maximum Fine
September 28 2019

Equifax Max ICO Fine

Equifax has been fined £500,000 for a breach that occurred between May and July 2017. 146 million records were compromised, including 15 million UK records. On 20th September 2018 the ICO issued the maximum fine available under the Data Protection Act 1998 because there were multiple failings: lack of lawful consent, keeping data that should have been deleted, failing to adhere to their own encryption policy and failing to patch a critical security weakness. This fine was small compared to the total cost of the breach (est. $300 million), but under GDPR the maximum fine could have been as high as £102 million.

Marketing – Informed Consent Vs Legitimate Interests

Marketing companies are still a hotbed for ICO fines, sometimes through a lack of due diligence and sometimes due to misinterpretation of current legislation. It doesn’t help that the PECR (Privacy and Electronic Communications Regulation) and the GDPR (General Data Protection Regulation) are not 100% aligned.

PECR makes a distinction between contact information that is only for personal use (e.g. …) and contact information that is only for business use (e.g. …). It allows email marketing under a ‘soft opt-in’ if the marketing is to existing business customers and is for products and services similar to those they already subscribe to. GDPR treats all personally identifiable information the same, and you need to specify one of six lawful bases for processing any personal data.

A recent LinkedIn post included a scanned letter from the ICO. The paraphrased question posed was: Can you use legitimate interests to market to personal corporate email addresses, where the soft opt-in does not apply? The ICO response was: You do not always need prior consent for marketing emails… you may be able to rely on Legitimate Interests to justify some of your business to business marketing.

“Hurrah!” marketeers cried “This is a game changer!”

At which point I gave a sigh and started trying to do damage control… no, not a game changer at all.

Yes, either informed consent or legitimate interests can be used as a lawful basis for marketing. But the aim of GDPR is to give people greater visibility and control of how their information is used, and both of these lawful bases enforce this ethos; it is no less onerous for companies to use legitimate interests than it is to use informed consent.

If you are using consent, then data subjects must be explicitly informed what you intend to do with their data, you need to keep an audit trail of the consent they gave, and they must be able to withdraw consent as easily as it was given.

If you want to rely on legitimate interests, data subjects must be informed of this lawful basis for marketing in the privacy notice you issue to them when you collect their data. They must also be informed of their right to object to marketing under legitimate interests, and any objection must be acted on immediately (i.e. they can still ‘opt out’).

So, while there is a choice of method, I am happy to say that there is no loophole to get away from the due diligence of informing people about your intent to market and giving them the ability to easily opt out.

Data Breaches

The number of data breaches being reported in the media is still running at a consistent rate of 120 – 140 breaches per quarter. The biggest global breaches from Q3 were:

  • Huazhu hotel chain – 130 million customers affected
  • Chegg – 40 million customers
  • Timehop – 21 million users

There were also some notable UK breaches in the last 3 months:

  • British Airways – credit card details of 380,000 customers were stolen during a two-week cyber-attack on their website.
  • Butlins – suffered a data hack affecting 34,000 customers, caused by a phishing email.
  • NHS – suffered a data breach caused by a coding error which exposed 150,000 patient records.

ICO Fines

As well as the record-breaking Equifax fine, there were other six-figure fines in the last quarter:

  • BUPA Insurance Services fined £175,000
  • Lifecycle Marketing fined £140,000
  • AMS Marketing fined £100,000
  • Independent Inquiry into Child Sexual Abuse fined £200,000

The total of ICO fines for 2018 so far is £4.8m, which already exceeds the 2017 year-end total of £4.2m.

For more detailed information about ICO fines, see the ICO enforcement webpage: enforcement/

Did you know?...

Network and Information Systems Regulation (NIS)

With all the hype about GDPR, you may have missed that NIS also came into force this year. It is the UK's implementation of the EU NIS Directive, which aims to raise the level of security and resilience of information systems for online marketplaces and critical services (e.g. utilities, healthcare and transport). More information about NIS can be found on the ICO or National Cyber Security Centre websites.

Interactive Online GDPR Reference

There are several online versions of the GDPR text which have been compiled and openly shared by consultancies for ease of navigation. Here is one good example, created by Intersoft, for you to bookmark!